It's Not (Just) About EMR Software Security

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.

For background, take a look at the original post, Steady Bleed: State of HealthCare Data Breaches. In short, that post highlighted how health care providers large and small suffered dozens to more than 100 security breaches a month.

Now, whenever you provide figures and data that rub against the bias of some, you are bound to get a degree of push-back. It appears John at the site EHR and HIPAA took exception:

Now, I'll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don't agree with the article's assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it's unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software's fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I'm not saying that breaches don't happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn't take an electronic health record for people to start looking up famous sports stars' health information.

John is correct that nearly every breach that occurs with EMRs can, and does, occur with paper-based systems. The same is true of every other type of online security problem. There is nothing new about identity or credit card theft, but the move to electronic records has increased the volume and velocity of these attacks. Blogger Dissent at PHIprivacy.net expressed what makes electronic records different.

According to Privacy Rights Clearinghouse, 14,555,641 medical records have been breached since 2005, and many of them were paper records. That helps substantiate my point: the health care industry is lackadaisical about protecting patient records, and the rush to digitize those records is going to exacerbate the problem.

The challenge is the lack of security and risk management maturity across the entire life-cycle of the data and the IT infrastructure that supports it. So yes: the problems go well beyond the software security of medical record software. They include the policies, and how each location enforces them, to mitigate risk. How is data at rest encrypted? Are users permitted to take patient data off premises on notebooks or thumb drives? How are software vulnerabilities and secure system configurations managed? How are identities and access rights managed, and is access granted only to those with a need to know? And how are paper and digital records destroyed when they reach the end of their life-cycle?

You get the idea.

Based on dozens, perhaps hundreds, of discussions with IT managers, most health care organizations aren't doing enough in many of these areas. But don't take my word for it. Consider the findings of Auditor-General John Doyle and his staff, who recently investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority. Here is their report [.pdf]. It is a Canadian report, but the same challenges apply here in the U.S.:

In every key area we examined - from the management and assignment of user access to security controls within the health authority's computing environment - we found serious weaknesses.

Because PARIS users are not granted access on a "need-to-know" basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring.

That is another data point substantiating my point, and it goes well beyond the inherent insecurity of software. The problem is systemic throughout the industry in how it secures patient data.
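The two audit findings quoted above, access that is not granted on a need-to-know basis and no controls to detect unauthorized access, map onto two concrete pieces of engineering. What follows is an added example written for this post; it is not code from the VCHA audit, from PARIS, or from any EHR product. It puts a minimal need-to-know policy beside the "any authenticated user sees any record" model the auditors describe, writes an audit entry on every decision (granted or denied), and runs a review pass over that log to surface break-the-glass use, denied attempts, and one user reading many unrelated patients in a short window. The user names, roles, patient ids, care-team assignments and activity are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample directory (assumption for the illustration; not real EHR data).
ROLES = {"dr_lee": "clinician", "rn_ortiz": "clinician", "dr_patel": "clinician",
         "bill_kim": "billing", "it_jones": "it_admin"}
# Active treatment relationships: patient id -> users on that patient's care team.
CARE_TEAM = {"P100": {"dr_lee", "rn_ortiz"}, "P200": {"dr_lee"}, "P300": {"dr_patel"}}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    flag: bool = False  # permitted only under an exception that must be reviewed


def legacy_policy(user_id, patient_id, purpose):
    """The model the audit describes: any authenticated user can read any record."""
    return Decision(user_id in ROLES, "authenticated")


def need_to_know_policy(user_id, patient_id, purpose):
    """Grant access only for a documented reason tying this user to this patient."""
    role = ROLES.get(user_id)
    if role is None:
        return Decision(False, "unknown user")
    if role == "it_admin":
        return Decision(False, "administers the system; no need for record content")
    if role == "billing":
        return Decision(purpose == "billing", "billing staff limited to billing purpose")
    if user_id in CARE_TEAM.get(patient_id, ()):
        return Decision(True, "active treatment relationship")
    if purpose == "emergency":
        # Break-the-glass: care is never blocked, but every use is flagged for review.
        return Decision(True, "break-the-glass", flag=True)
    return Decision(False, "no treatment relationship with this patient")


def access_record(log, ts, user_id, patient_id, purpose, policy=need_to_know_policy):
    """Evaluate the policy and append an audit entry whether or not access is granted."""
    d = policy(user_id, patient_id, purpose)
    log.append({"ts": ts, "user": user_id, "patient": patient_id, "purpose": purpose,
                "allowed": d.allowed, "flag": d.flag, "reason": d.reason})
    return d


def review_audit_log(log, window=timedelta(hours=1), max_patients=3):
    """Detection pass over the log: break-the-glass use, denied attempts, and any user
    who read more than `max_patients` distinct patients within `window` (the pattern
    behind record-snooping cases, which a deny-nothing model never logs as a denial)."""
    alerts = []
    granted = defaultdict(list)
    for e in log:
        if e["flag"]:
            alerts.append(("break-the-glass", e["user"], e["patient"]))
        elif not e["allowed"]:
            alerts.append(("denied", e["user"], e["patient"]))
        if e["allowed"]:
            granted[e["user"]].append(e)
    for user, events in granted.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            seen = {e["patient"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) > max_patients:
                alerts.append(("bulk-lookup", user, len(seen)))
                break
    return alerts


def demo():
    """Replay one constructed hour of activity under both policies."""
    t0 = datetime(2017, 5, 8, 9, 0)
    activity = [  # (minutes after t0, user, patient, stated purpose)
        (0, "dr_lee", "P100", "treatment"),    # on the care team
        (5, "dr_patel", "P100", "treatment"),  # not on the care team
        (6, "dr_patel", "P100", "emergency"),  # break-the-glass
        (10, "bill_kim", "P200", "treatment"), # billing staff reading clinical content
        (11, "bill_kim", "P200", "billing"),
        (15, "it_jones", "P300", "treatment"), # administrator browsing records
        (20, "rn_ortiz", "P100", "treatment"),
        (21, "rn_ortiz", "P200", "treatment"), # rapid sweep across unrelated patients
        (22, "rn_ortiz", "P300", "treatment"),
        (23, "rn_ortiz", "P400", "treatment"),
    ]
    results = {}
    for name, policy in (("legacy", legacy_policy), ("need_to_know", need_to_know_policy)):
        log = []
        for mins, user, patient, purpose in activity:
            access_record(log, t0 + timedelta(minutes=mins), user, patient, purpose, policy)
        results[name] = {"granted": sum(e["allowed"] for e in log),
                         "alerts": review_audit_log(log)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "granted:", r["granted"], "alerts:", r["alerts"])
```

Under the legacy policy all ten reads are granted and the only signal is the bulk-lookup alert, and only because the log exists and someone reviews it. Under the need-to-know policy the same activity yields four grants, six denials and one flagged break-the-glass read, each with a recorded reason. Prevention and detection are separate controls; the audit faulted PARIS on both.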
